Software compliance rules are one of the most underused features in IT inventory management—and one of the most powerful. When configured correctly, they automatically flag devices that don't meet your security baseline, giving you visibility into risks before they become incidents. Here are five rules every IT team should implement in InventoryOS.
1. Block Known Malware Disguises
Attackers routinely rename malicious executables to look like legitimate software. A trojan might appear as AdobeUpdate.exe, Chrome_Updater.exe, or WindowsDefender.exe. These names exploit user trust and often bypass casual review—especially when they sit next to the real applications in Program Files or Downloads.
Why it matters: Fake updaters and trojanized utilities are among the top delivery mechanisms for ransomware and credential stealers. A compliance rule that matches known bad filenames catches these imposters early, before they execute.
How to set it up: In InventoryOS, go to Software > Compliance Rules and create a new blocked-software rule. Add patterns for common malware disguise names (e.g., *AdobeUpdate*.exe, *Chrome*Updater*.exe, known trojanized utility names). The compliance engine scans your software inventory and flags any device with a match.
2. Enforce Approved Browser Versions
Outdated browsers are the number one entry point for web-based attacks. Drive-by exploits, malicious ads, and phishing pages routinely target known vulnerabilities in older Chrome, Firefox, and Edge builds. Once a browser is behind on patches, it's a sitting duck.
Why it matters: Browser-based attacks don't require user interaction beyond visiting a compromised site. A single device running Chrome 110 when 120 is current can be enough to compromise your network. Compliance rules that require minimum browser versions auto-flag devices that haven't updated.
How to set it up: Create a required-software rule in InventoryOS for each browser (Chrome, Firefox, Edge) with a minimum version. Use the version comparison operator—e.g., "Chrome >= 120" or "Firefox >= 121". Devices below the threshold will appear in your compliance violations dashboard.
3. Detect Unauthorized Remote Access Tools
TeamViewer, AnyDesk, RustDesk, and similar tools are indispensable for legitimate remote support—but when they appear on devices where they're not sanctioned, they represent a serious risk. Shadow IT remote access bypasses your approved support workflows and creates uncontrolled entry points into your environment.
Why it matters: Unauthorized remote tools can be installed by users seeking help from unsanctioned sources, or by attackers who've already gained initial access. Either way, they enable persistence and lateral movement without going through your ticketing system or access controls.
How to set it up: In InventoryOS, create a blocked-software rule that matches remote access tools not on your approved list. Include TeamViewer, AnyDesk, RustDesk, SupRemo, and others. If you have an approved tool (e.g., Bomgar), you can use device-level overrides for support workstations. Any device with a non-approved tool will be flagged.
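The blocked-software rules from sections 1 and 3, sketched as an added example (not InventoryOS code): wildcard patterns are matched case-insensitively against a constructed inventory, with a device-level override for a support workstation. The rule names, field names and device names are assumptions made for illustration.

```python
from fnmatch import fnmatchcase

# Constructed sample data; rule and field names are illustrative,
# not InventoryOS's schema.
BLOCKED_PATTERNS = {
    "malware-disguise": ["*AdobeUpdate*.exe", "*Chrome*Updater*.exe"],
    "remote-access": ["*TeamViewer*", "*AnyDesk*", "*RustDesk*", "*SupRemo*"],
}
# Device-level overrides: rule name -> devices exempt from that rule.
OVERRIDES = {"remote-access": {"SUPPORT-WS-01"}}

INVENTORY = [
    {"device": "FIN-LT-07", "software": ["chrome.exe", "Chrome_Updater.exe"]},
    {"device": "HR-PC-12", "software": ["AnyDesk.exe", "winword.exe"]},
    {"device": "SUPPORT-WS-01", "software": ["TeamViewer_Service.exe"]},
    {"device": "DEV-PC-03", "software": ["ADOBEUPDATE32.EXE", "code.exe"]},
    {"device": "OPS-PC-02", "software": ["firefox.exe", "7z.exe"]},
]

def matches(name, pattern):
    # Windows file names are case-insensitive, so compare lower-cased forms.
    return fnmatchcase(name.lower(), pattern.lower())

def evaluate_blocked(inventory, rules, overrides):
    """Return a sorted list of (device, rule, filename) violations."""
    violations = []
    for entry in inventory:
        for rule, patterns in rules.items():
            if entry["device"] in overrides.get(rule, set()):
                continue  # tool is sanctioned on this device
            for name in entry["software"]:
                if any(matches(name, p) for p in patterns):
                    violations.append((entry["device"], rule, name))
    return sorted(violations)

if __name__ == "__main__":
    for violation in evaluate_blocked(INVENTORY, BLOCKED_PATTERNS, OVERRIDES):
        print(*violation)
```

The patterns look at the file name only, so a hit is a lead to verify against install path and publisher signature rather than proof of malware.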
4. Require Endpoint Protection Software
Every device should have an approved antivirus or EDR solution installed and active. Windows Defender, CrowdStrike, SentinelOne, Microsoft Defender for Endpoint, and similar tools form your last line of defense against malware. When they're missing or disabled, you're flying blind.
Why it matters: Devices without endpoint protection are disproportionately targeted by attackers. They're easier to compromise and persist on. Compliance rules that check for approved AV/EDR catch misconfigured machines, trial expirations, and users who've disabled protection.
How to set it up: Create a required-software rule that specifies at least one approved endpoint protection product (e.g., "Windows Defender" OR "CrowdStrike Falcon" OR "SentinelOne"). InventoryOS checks the software inventory for each device. If none of the approved products are present—or if a product is present but reported as disabled—the device fails compliance.
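The required-software checks from sections 2 and 4, sketched as an added example (not InventoryOS code): minimum browser versions are compared numerically, and a device passes the endpoint-protection check only if at least one approved product is present and enabled. The inventory, field layout and device names are constructed for illustration.

```python
import re

# Constructed inventory: device -> [(product, version, enabled)].
# The layout is illustrative, not InventoryOS's schema.
INVENTORY = {
    "FIN-LT-07": [("Chrome", "110.0.5481.178", True),
                  ("Windows Defender", "4.18.2", True)],
    "HR-PC-12": [("Chrome", "120.0.6099.71", True),
                 ("SentinelOne", "23.3.1", False)],
    "DEV-PC-03": [("Firefox", "121.0", True),
                  ("Chrome", "99.0.4844.51", True),
                  ("CrowdStrike Falcon", "7.05", True)],
    "OPS-PC-02": [("Firefox", "122.0.1", True)],
}

MIN_BROWSER = {"Chrome": "120", "Firefox": "121"}  # "Chrome >= 120", ...
APPROVED_EDR = ["Windows Defender", "CrowdStrike Falcon", "SentinelOne"]

def vkey(version):
    # Split into integer components so comparison is numeric.
    return tuple(int(part) for part in re.findall(r"\d+", version))

def at_least(version, minimum):
    # As plain strings, "99.0" sorts after "120.0"; pad and compare as tuples.
    a, b = vkey(version), vkey(minimum)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) >= b + (0,) * (width - len(b))

def evaluate(inventory):
    """Return a list of (device, finding) tuples, ordered by device name."""
    findings = []
    for device, items in sorted(inventory.items()):
        for name, version, _enabled in items:
            minimum = MIN_BROWSER.get(name)
            if minimum and not at_least(version, minimum):
                findings.append((device, f"{name} {version} < {minimum}"))
        # Present-but-disabled protection does not satisfy the rule.
        if not any(n in APPROVED_EDR and on for n, _v, on in items):
            findings.append((device, "no active approved endpoint protection"))
    return findings

if __name__ == "__main__":
    for device, finding in evaluate(INVENTORY):
        print(device, finding)
```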
5. Flag End-of-Life Operating Systems
Windows 7, 8, 8.1, Server 2012, and macOS versions below Ventura no longer receive security updates. They're unsupported, unpatched, and high-value targets for attackers. Even if they "still work," they shouldn't be on your network without a documented exception and compensating controls.
Why it matters: End-of-life OSes accumulate known vulnerabilities with no vendor patches. Ransomware groups and nation-state actors actively exploit these. A single Windows 7 machine can be the pivot point for a full network compromise.
How to set it up: Create a compliance rule that blocks or flags specific OS versions. In InventoryOS, you can define rules that match OS name and version—e.g., block "Windows 7", "Windows 8", "Windows 8.1", "Windows Server 2012", and macOS versions below 13 (Ventura). Devices running these OSes will appear in your violations list so you can prioritize upgrades or isolate them.
Putting It Together
These five rules form a solid baseline: block obvious malware disguises, enforce current browsers, detect shadow IT remote access, require endpoint protection, and flag end-of-life OSes. Implement them in InventoryOS and you'll have continuous visibility into devices that fall outside your security posture—without manual audits or spreadsheets.
Start with one or two rules, tune them based on your environment, then add the rest. Within a few days, you'll have a compliance dashboard that surfaces risks automatically. That's the kind of proactive visibility that lets you prevent incidents instead of reacting to them.